Symantec Revokes Wrongly Issued Certificates

Symantec has revoked numerous wrongly issued certificates, including for domains such as example.com and test.com. This is not the first time the security firm’s certificate issuance practices have come under scrutiny.

The misissued certificates were spotted via the Certificate Transparency (CT) system by Andrew Ayer, founder of SSLMate. The expert discovered several certificates for example.com, which he confirmed were not authorized by the domain’s owner. He also identified certificates for domains such as test.com, test1.com, test2.com, and others containing the string “test.”

Ayer found more than 100 wrongly issued certificates attributed to Symantec and its subsidiaries GeoTrust and Thawte. The problematic certificates have several entries with the value “test,” which suggests they have been issued for testing purposes.

Steven Medin, PKI policy manager at Symantec, said the certificates had been issued by one of the company’s WebTrust audited partners. Medin said this partner’s privileges have been reduced to restrict further issuance and the reported certificates have all been revoked.

“We have restricted this partner’s issuance privileges while we continue to review this matter. While most of the listed certificates were already revoked by the partner, Symantec revoked all remaining valid certificates within the 24 hour CA/B Forum guideline. Our investigation is on-going,” Symantec told SecurityWeek.

Ayer has advised domain owners to monitor CT logs to determine if unauthorized certificates have been issued for their websites. Since this is not the first time Symantec has misissued certificates, the expert has also recommended excluding the company via CAA records, which allow users to specify which CA can issue certificates for their domain.
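How a CA decides whether CAA records like those Ayer recommends permit it to issue, as an added example that is not part of the original article. It follows the RFC 8659 rules (tree climbing, `issue` versus `issuewild`, the critical flag); the zone data and the CA identifiers `ca-allowed.example` and `ca-excluded.example` are constructed placeholders.

```python
# Constructed zone data (not real DNS): owner name -> [(flags, tag, value)].
# "ca-allowed.example" / "ca-excluded.example" are placeholder CA identifiers.
ZONE = {
    "shop.example": [
        (0, "issue", "ca-allowed.example"),
        (0, "issuewild", ";"),  # no CA may issue wildcards
        (0, "iodef", "mailto:security@shop.example"),
    ],
    "locked.example": [(0, "issue", ";")],  # no CA may issue at all
    "mail.example": [(0, "iodef", "mailto:security@mail.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA set applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_of(value):
    """The issuer domain name is whatever precedes any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_id, name, zone=ZONE):
    """Return True if CAA permits ca_id to issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(f & 0x80 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    wild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    restricting = wild if (wildcard and wild) else issue
    if not restricting:
        return True  # e.g. only iodef present: CAA does not restrict issuance
    return ca_id.lower() in restricting


if __name__ == "__main__":
    for ca, name in [("ca-allowed.example", "www.shop.example"),
                     ("ca-excluded.example", "www.shop.example"),
                     ("ca-allowed.example", "*.shop.example")]:
        print(ca, name, may_issue(ca, name))
```

CAA is evaluated by the issuing CA at issuance time, so it complements CT log monitoring rather than replacing it.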

In October 2015, Google asked Symantec to improve its certificate issuance practices after Thawte was caught releasing certificates for google.com domains. The company claimed to have issued the certificates for testing purposes, but it ultimately decided to terminate some employees after completing its investigation.

Symantec’s certificate business also made the news in February 2016, when the company asked browser vendors to allow it to issue nine new SSL certificates signed with SHA-1 for Worldpay after the payment processor failed to upgrade some devices before the December 31, 2015, deadline.

*Updated with statement from Symantec

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
